Bug 1213775 (CVE-2015-3146) - CVE-2015-3146 libssh: null pointer dereference due to a logical error in the handling of SSH_MSG_NEWKEYS and KEXDH_REPLY packets
Status: CLOSED ERRATA
Alias: CVE-2015-3146
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard: impact=moderate,public=20150430,repor...
Keywords: Security
Depends On: 1214622 1218076 1218077
Blocks: 1213779
Reported: 2015-04-21 09:24 UTC by Vasyl Kaigorodov
Modified: 2015-07-14 15:28 UTC (History)

Fixed In Version: libssh 0.6.5
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2015-05-28 10:54:49 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments
Suggested patch (3.36 KB, text/plain)
2015-04-21 13:58 UTC, Vasyl Kaigorodov

Description Vasyl Kaigorodov 2015-04-21 09:24:38 UTC
libssh versions 0.5.1 and above have a logical error in the handling of
SSH_MSG_NEWKEYS and SSH_MSG_KEXDH_REPLY packets. A detected error did not set
the session into the error state correctly and further processed the packet,
which leads to a null pointer dereference. This is the packet after the initial
key exchange and doesn't require authentication.

Both client and server are vulnerable, pre-authentication and pre-crypto,
and can be exploited with a MITM attack. This could be used for a
Denial of Service (DoS) attack.

Acknowledgements:

Red Hat would like to thank the libssh team for reporting this issue. The libssh team acknowledges Mariusz Ziulek from the Open Web Application Security Project (OWASP) as the original reporter.
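The bug class described above, modelled as an added illustration rather than libssh's own code: a simplified NEWKEYS handler whose validation step detects an error but leaves the session state untouched and keeps processing, so it dereferences a crypto context that was never allocated, next to the corrected handler that moves the session into the error state and stops. All struct, state and function names here are hypothetical stand-ins.

```c
#include <stddef.h>
#include <stdio.h>

/* Hypothetical model of the state machine; not libssh's real types. */
enum session_state { STATE_KEX, STATE_ERROR, STATE_AUTHENTICATING };

struct crypto { int cipher_ready; };

struct session {
    enum session_state state;
    struct crypto *next_crypto;   /* stays NULL until key exchange succeeded */
};

/* Stand-in for the key-exchange validation step; -1 means a bad packet. */
static int verify_kex_reply(struct session *s, int packet_ok) {
    (void)s;
    return packet_ok ? 0 : -1;
}

/* Buggy handler: the error is detected, but the session is not moved to the
 * error state and processing continues. Returns 1 where the real code would
 * dereference the NULL crypto context (the check only keeps the demo alive). */
static int handle_newkeys_buggy(struct session *s, int packet_ok) {
    int rc = verify_kex_reply(s, packet_ok);
    if (rc != 0) {
        /* error is logged but s->state is left as it was */
    }
    if (s->next_crypto == NULL) return 1;   /* would be a NULL dereference */
    s->next_crypto->cipher_ready = 1;
    s->state = STATE_AUTHENTICATING;
    return 0;
}

/* Fixed handler: any error puts the session into the error state and stops. */
static int handle_newkeys_fixed(struct session *s, int packet_ok) {
    int rc = verify_kex_reply(s, packet_ok);
    if (rc != 0 || s->next_crypto == NULL) {
        s->state = STATE_ERROR;
        return -1;
    }
    s->next_crypto->cipher_ready = 1;
    s->state = STATE_AUTHENTICATING;
    return 0;
}

int main(void) {
    struct session s = { STATE_KEX, NULL };   /* constructed: bad packet, no crypto */
    printf("buggy: %d (1 = would crash)\n", handle_newkeys_buggy(&s, 0));
    printf("fixed: %d, state %d\n", handle_newkeys_fixed(&s, 0), (int)s.state);
    return 0;
}
```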

Comment 2 Vasyl Kaigorodov 2015-04-21 13:58:05 UTC
Created attachment 1016896
Suggested patch

Comment 3 Stef Walter 2015-04-21 14:46:21 UTC
The former patch applies to libssh 0.6.4 cleanly. The latter patch does not (perhaps against a different 0.6.x).

Brew build for RHEL 7: https://brewweb.devel.redhat.com/taskinfo?taskID=9017188

Comment 10 Andreas Schneider 2015-04-30 14:06:33 UTC
libssh 0.6.5 has been released to address the issue!

https://www.libssh.org/2015/04/30/libssh-0-6-5-security-and-bugfix-release/

Comment 11 Martin Prpič 2015-05-04 07:55:31 UTC
External References:

https://www.libssh.org/2015/04/30/libssh-0-6-5-security-and-bugfix-release/

Comment 12 Martin Prpič 2015-05-04 07:56:10 UTC
Created libssh tracking bugs for this issue:

Affects: fedora-all [bug 1218076]
Affects: epel-all [bug 1218077]

Comment 13 Fedora Update System 2015-05-14 11:15:45 UTC
libssh-0.6.5-1.fc21 has been pushed to the Fedora 21 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 14 Fedora Update System 2015-05-21 05:12:27 UTC
libssh-0.6.5-1.el7 has been pushed to the Fedora EPEL 7 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 15 Fedora Update System 2015-05-26 21:27:07 UTC
libssh-0.5.5-4.el6 has been pushed to the Fedora EPEL 6 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 16 Fedora Update System 2015-07-14 15:28:48 UTC
libssh-0.7.1-1.fc22 has been pushed to the Fedora 22 stable repository.  If problems still persist, please make note of it in this bug report.
